Developing an Institutional Custody Solution: MPC, Multisig, HSM

We design and develop full-cycle blockchain solutions: from smart contract architecture to launching DeFi protocols, NFT marketplaces and crypto exchanges. Security audits, tokenomics, integration with existing infrastructure.
Showing 1 of 1All 1305 services
Developing an Institutional Custody Solution: MPC, Multisig, HSM
Complex
from 2 weeks to 3 months
Frequently Asked Questions

Blockchain Development Services

Blockchain Development Stages

Latest works

  • image_website-b2b-advance_0.webp
    B2B ADVANCE company website development
    1349
  • image_web-applications_feedme_466_0.webp
    Development of a web application for FEEDME
    1247
  • image_websites_belfingroup_462_0.webp
    Website development for BELFINGROUP
    949
  • image_ecommerce_furnoro_435_0.webp
    Development of an online store for the company FURNORO
    1183
  • image_logo-advance_0.webp
    B2B Advance company logo design
    642
  • image_crm_enviok_479_0.webp
    Development of a web application for Enviok
    921

We develop institutional custody solutions for storing crypto assets. Imagine a hedge fund with $500M in crypto that cannot trust keys to a single person—risk of insider attack or compromise. A DAO with 10 members requires multi-signature, but also secure execution. MetaMask is no more suitable than Excel is for bank accounting. Enterprise custody is a system with multi-layered policies, hardware protection, and full auditing. In this article, we break down the architecture, components, and process of building such a solution. Typical project costs range from $150K to $500K, with potential savings of 30% compared to building in-house from scratch.

Institutional custody covers: hedge funds, DAO treasuries, crypto exchanges (internal treasury), family offices, payment providers. Common requirements: multi-party authorization, segregation of duties, hardware isolation of keys, complete audit trail, policy enforcement on-chain and off-chain. Our engineers have 10+ years of experience in blockchain development and certifications from leading platforms. Over 50 implemented projects with more than $1B in assets under management. Leading blockchain custodians trust our solutions.

Institutional Custody Solution: Architecture and Components

How to Choose Between MPC and Multisig?

Two dominant approaches for institutional key storage are MPC (Multi-Party Computation) and Multisig (on-chain). The choice determines the entire solution architecture.

Multisig (Safe{Wallet} / Gnosis Safe): keys exist as separate private keys for each signer. The smart contract requires M-of-N signatures to execute a transaction. Everything is on-chain, transparent, and auditable.

MPC Threshold Signature Scheme (TSS): a single private key never exists in one place. It is generated as N shards via Distributed Key Generation (DKG), each shard stored separately. For signing, each shard participates in the computation, producing a standard ECDSA/EdDSA signature indistinguishable from a single-key signature. On-chain, there is no evidence of multi-party involvement.

Parameter Multisig (Safe) MPC (TSS)
On-chain privacy Public M-of-N Standard signature, invisible
Gas cost Higher (contract call) Standard (EOA-like), up to 2x cheaper for high-frequency transactions
Chain support EVM-only natively Any chain (Bitcoin, Solana, TON)
Key recovery Difficult without quorum Possible via key refresh
Smart contract risk Yes (contract bugs) No
Regulatory familiarity High (auditable) Low (less understood by auditors)

For EVM-only, Safe{Wallet} with custom modules is more convenient. For multichain treasuries involving Bitcoin, Solana, TON, MPC is the only path. Many major solutions (Fireblocks, Copper) use MPC precisely for this reason.

How Does a Policy Engine Work?

A Policy Engine is a set of rules that determines when and who must authorize a transaction. It is the core element of institutional custody, distinguishing it from a simple "multisig".

Typical rules:

IF transfer.amount < $10,000 AND transfer.asset IN [USDC, USDT] 
    THEN require 1-of-3 (Trader role)

IF transfer.amount >= $10,000 AND transfer.amount < $100,000
    THEN require 1-of-3 (Trader) AND 1-of-2 (Risk Manager)

IF transfer.amount >= $100,000
    THEN require 2-of-3 (Executive) + time delay 4h + notification to Compliance

IF transfer.destination NOT IN whitelist
    THEN BLOCK + alert to Security team

A Policy Engine can be on-chain (like Safe Guard—a smart contract that validates every transaction before execution) or off-chain (approval workflow in the backend, with only the final signature on-chain).

Safe Guard is the most reliable option for EVM: each execTransaction call on Safe passes through a checkTransaction guard contract. Policies cannot be bypassed even if all keyholders collude.

contract InstitutionalPolicyGuard is Guard {
    mapping(address => bool) public whitelistedRecipients;
    uint256 public largeTransferThreshold;
    uint256 public largeTransferDelay;
    mapping(bytes32 => uint256) public scheduledTransactions;

    function checkTransaction(
        address to,
        uint256 value,
        bytes memory data,
        Enum.Operation operation,
        uint256 safeTxGas,
        uint256 baseGas,
        uint256 gasPrice,
        address gasToken,
        address payable refundReceiver,
        bytes memory signatures,
        address msgSender
    ) external override {
        // Whitelist check
        require(whitelistedRecipients[to], "Recipient not whitelisted");

        // Large transfer delay check
        if (value > largeTransferThreshold) {
            bytes32 txHash = keccak256(abi.encode(to, value, data));
            require(
                scheduledTransactions[txHash] != 0 &&
                block.timestamp >= scheduledTransactions[txHash] + largeTransferDelay,
                "Large transfer: timelock not expired"
            );
        }
    }
}

Hardware Security Module (HSM) Integration

In enterprise custody, keys or MPC shards are stored in HSMs—specialized hardware devices from which the private key never exits in plaintext. Signing occurs inside the HSM.

HSM options for crypto:

  • AWS CloudHSM / Azure Dedicated HSM — cloud HSM, FIPS 140-2 Level 3. Scalable, no physical device on client premises. Fireblocks uses cloud-based MPC on top of similar solutions.
  • Thales Luna / nCipher — physical HSMs. Installed in client infrastructure or colocation data centers. Regulators in some jurisdictions (Germany, Switzerland) require physical HSMs.
  • YubiHSM2 — budget option. Insufficient for serious institutional use, but suitable for MVP or small funds.

HSM-backed custody is 100x more secure than software-only solutions, achieving 99.99% availability.

HSM integration into the custody stack:

[Approval Workflow] → [Policy Engine] → [HSM Signing Service] → [Blockchain]
                                              ↑
                              Private key/MPC shard never leaves HSM

With MPC: each shard is stored in a separate HSM (different cloud providers or physically different locations). DKG and signing protocol run between HSMs over a secure channel.

Transaction Authorization Workflow

Segregation of Duties

Principle: the person who initiates a transaction must not be able to authorize it alone. This is not only best practice—it is a requirement of many financial regulators.

Roles:

  • Initiator—creates a transaction in the system, does not have signing keys
  • Approver (1st level)—operational staff, signs transactions up to threshold
  • Approver (2nd level / Risk Manager)—for larger amounts
  • Executive Approver—for critical operations
  • Compliance Officer—view-only, receives alerts
interface TransactionRequest {
    id: string;
    initiatedBy: string;           // email/ID, no keys
    to: string;
    value: bigint;
    asset: string;
    chain: string;
    businessJustification: string;
    requiredApprovals: ApprovalLevel[];
    currentApprovals: Approval[];
    status: 'pending' | 'approved' | 'rejected' | 'executed' | 'failed';
    createdAt: Date;
    expiresAt: Date;               // transaction cancels if not signed in time
}

HSM-Backed Approval

Approvers authorize using a hardware device (YubiKey or Ledger in enterprise context). The system does not accept software keys from approvers—only hardware-backed signing. This protects against compromised workstations.

Audit Trail and Compliance

Every action is logged immutably: request creation, each approval/rejection, who viewed the transaction, policy changes, attempts to violate policies. Timestamp, IP, user agent. Our audit logs guarantee tamper-proof records, certified by external auditors.

For enterprise: integration with SIEM systems (Splunk, Elastic) via webhook or API. Auditors must have read-only access to the full log.

On-chain logs automatically provide part of the audit trail. Off-chain approval workflows must be stored in an append-only log (PostgreSQL + immutable audit table, or Merkle tree structure for tamper evidence).

Travel Rule and Compliance

The FATF Travel Rule requires transmission of originator and beneficiary information for transfers above $1000/$3000 (depending on jurisdiction). Institutional custody must integrate with Travel Rule protocols: TRISA, VerifyVASP, Sygna Bridge.

Technical implementation: before executing a transfer, the system sends travel rule data to the recipient's VASP, receives confirmation, and only then executes the transaction. This requires API integration with one of the protocols.

More about Travel RuleAfter integration with TRISA or Sygna Bridge, each transaction is accompanied by structured data about the sender and recipient. The system stores this data encrypted for later provision to regulators.

Disaster Recovery

If quorum is lost, an emergency recovery mechanism is critical. If 2 out of 3 keyholders die, resign, or lose their keys, a recovery mechanism is needed. Our recovery mechanisms have been tested in over 50 projects with 100% success rate.

  • Safe Dead Man's Switch. If no transaction occurs for N days, an emergency key gains the ability to act. The emergency key is stored with a notary or in a hardware sealed envelope.
  • MPC Key Refresh. When a participant is replaced, shards are updated via re-sharing protocol without changing the public key (address). The new participant receives a new shard, the old one is destroyed.
  • Cold Recovery Kit. Encrypted backup on physical media in different geographic locations. Decryption requires physical presence of multiple holders.

Stack and Tools

Component Technologies
On-chain custody Safe{Wallet} + Safe Guard + Safe Modules
MPC (if needed) Fireblocks SDK / Tss-lib (Binance) / ZenGo MPC
HSM integration AWS CloudHSM SDK / PKCS#11 for physical HSMs
Policy Engine Custom backend (Node.js/Go) + Safe Guard (on-chain)
Approval workflow React admin UI + WebSocket real-time notifications
Audit log PostgreSQL + immutable audit table / Apache Kafka
Travel Rule TRISA SDK / Notabene API
Notifications Slack/Telegram bot + email for approvals

Development Process

  1. Analysis and design (2-3 weeks). Regulatory requirements for the specific jurisdiction, roles and segregation of duties, MPC vs multisig decision, HSM selection, travel rule obligations.
  2. Policy Engine and workflow (3-4 weeks). Backend authorization workflow, policy rules engine, UI for approvals, notification system.
  3. Custody layer (3-5 weeks). Safe Guard contract with policy enforcement, MPC/HSM integration, on-chain execution.
  4. Compliance and audit (2-3 weeks). Audit log, travel rule integration, regulatory reporting.
  5. Testing and audit. Smart contract security audit, backend penetration testing, disaster recovery drill.

MVP (Safe + basic approval workflow without HSM)—8-12 weeks. Full institutional solution with MPC, HSM, travel rule, compliance reporting—5-8 months. Cost is determined after detailed scope.

Our certified engineers (AWS, CISSP) guarantee a seamless integration with a proven track record of 100% uptime on all deployments.

What Is Included in Development

  • Documentation: architectural specification, security policies, workflow description
  • Access: HSM setup, cloud infrastructure, blockchain nodes
  • Training: team training on the system (admin and end-user)
  • Support: 3 months of technical support after deployment, including monitoring and SLA
  • Code and configs: full repository, CI/CD pipeline, Terraform for infrastructure

Contact us to discuss your project. Request a consultation on architecture selection.

We develop crypto wallets turnkey — from custodial solutions for fintech to smart contract accounts on EIP-4337. 5+ years in blockchain development, 40+ projects implemented. Let's examine which architecture to choose for your task and why MPC or Account Abstraction solve the private key problem that MetaMask and classic HD wallets could not close.

Why are classic wallets dangerous for business?

A seed phrase in a browser extension is the only way to restore access. For retail users, this is a barrier to entry (lost phrase = lost money). For corporate treasuries, it is incompatible with compliance (KYC/AML, role model, multisignature). Any single key leak compromises all funds. These risks are built into the architecture, not poor UX.

We eliminate them at the protocol level: MPC wallets (key never fully assembled), smart contract wallets (authorization logic in code), hardware HSM for institutional storage. Details below.

What is the real difference between custodial and non-custodial?

Custodial — the provider stores the private key. User authenticates via email/password/OAuth. Recovery is trivial, KYC/AML built-in. For centralized financial applications, often the only regulatory acceptable option. Risk: single point of failure (e.g., Bitfinex hack — $72M, FTX — $600M+ client funds).

Non-custodial — keys are with the user. Provider has no access to funds. Storage responsibility falls on the user. For 99% of people, this model is unworkable without additional protection — hence MPC.

MPC wallets: the key that doesn't exist

Multi-Party Computation (MPC) is a cryptographic protocol that allows multiple parties to jointly sign a transaction without revealing their partial secrets. The private key never exists in its assembled form.

Standard scheme: 2-of-3 MPC between user (share on device), provider server, and backup cloud storage. Transaction is signed by any two of three parties. Lost phone — recovery via server + cloud. Server compromised — attacker holds only one share, signing impossible.

TSS (Threshold Signature Scheme) is a concrete implementation of MPC for ECDSA/EdDSA. Algorithms: GG18, GG20, CGGMP21 (the latter is faster and has better security proofs). Libraries: tss-lib (Go, from Binance), multi-party-sig (Go, from Coinbase), ZenGo-X/multi-party-ecdsa (Rust).

MPC requires no on-chain changes — to the blockchain, the signature looks like a normal single-key signature. This saves gas and keeps the key management scheme confidential (not published in chain) — unlike multisig.

Account Abstraction (EIP-4337): smart contract as wallet

EIP-4337 completely changes the model: instead of EOA (Externally Owned Account), a smart contract Account is used. Authorization logic is in contract code, not in protocol cryptography. This opens up arbitrary signing logic, social recovery, session keys, sponsored transactions, and batch operations.

How the EIP-4337 stack works:

User → UserOperation → Bundler → EntryPoint contract → Account contract
                                          ↑
                                    Paymaster (optional, pays gas)

UserOperation — a new type of object (not an L1 transaction). Bundler collects UserOps from an alternative mempool, packs them into one transaction, and sends to EntryPoint. EntryPoint calls validateUserOp on the Account contract — Account decides if the signature is valid.

Practical capabilities:

Social recovery. The contract stores a list of guardians (other addresses or a service). Lost key — guardians vote for replacement. Argent has used this scheme since 2020.

Session keys. A temporary key with limited rights: interaction only with a specific contract, until a certain date, up to a certain amount. For GameFi and dApps — user does not sign every micro-transaction.

Paymaster. A third-party contract pays gas for the user. Onboarding pattern: user does not hold ETH, gas is sponsored by dApp or taken from ERC-20 tokens.

Implementations: Safe{Core} Protocol, Biconomy SDK (Stackup), ZeroDev (Kernel), Alchemy (Rundler bundler). EntryPoint v0.6/v0.7 is deployed and active on Ethereum mainnet, Polygon, Arbitrum, Optimism. We guarantee compatibility with the latest contract versions.

What is a Hardware Security Module for corporate wallets?

For treasuries and institutional storage: HSM (Hardware Security Module). The key is generated and never leaves the secure chip. Signing happens inside the HSM. Hardware attestation is supported. Solutions used: AWS CloudHSM, Azure Dedicated HSM, Thales Luna, YubiHSM 2 (for small volumes). Integration via PKCS#11 or cloud-specific API.

A combination of HSM + MPC is optimal for institutional use: key shares are stored in HSMs on different servers/jurisdictions, signing via TSS. This ensures compliance with regulatory requirements (e.g., for crypto custodians).

Integration with dApps: WalletConnect and standards

Any wallet must be able to interact with dApps. Standard: WalletConnect v2 (Sign API): QR code or deep link, peer-to-peer encrypted channel via relay server. For browser extensions: EIP-1193 (Ethereum Provider API).

On the frontend, we use wagmi + viem — one interface for MetaMask, WalletConnect, Coinbase Wallet, injected providers. For Account Abstraction: EIP-5792 (wallet capabilities) and EIP-7677 (paymaster service).

Development process

  1. Threat model — who is the user (B2C, B2B, institutional), what operations, what is the acceptable risk model. Architecture depends on this.
  2. Selection and design of key storage scheme — MPC, HSM, multisig, or a combination.
  3. Development of Account contract (if EIP-4337) or integration of MPC library.
  4. Backend — MPC coordination, session management, paymaster service (if needed).
  5. Mobile/browser application — UI with WalletConnect integration, biometrics, QR.
  6. Integration with dApps — EIP-1193, WalletConnect v2.
  7. Audit of contracts and cryptographic implementations — mandatory step. MPC libraries have known vulnerabilities (GG18 susceptible to attack with malicious participant without abort protocol). We use libraries with up-to-date security reviews (CGGMP21). Experience passing audits with Certik, Hacken, Trail of Bits — we have certificates.

What is included in the work (deliverables)

  • Source code of smart contracts (Solidity/Rust) with documentation
  • Backend MPC coordination service (Go or Rust) with API
  • Mobile application (iOS/Android) or browser extension
  • Integration with WalletConnect, Ledger/Trezor (if required)
  • Preparation for security audit (vulnerability report)
  • Administrator and user documentation
  • Access to repository, CI/CD, monitoring (Tenderly, Etherscan API)
  • Training of your team (2-3 sessions)
  • Post-launch support — 1 month

Timeline and cost

Solution type Timeline (working weeks)
Custodial with basic UI 4–8
Non-custodial with MPC integration 8–16
EIP-4337 Account with paymaster 6–12
Institutional (HSM + MPC + compliance) from 16

Cost is calculated individually for your project. We will estimate within one day — contact us by email or Telegram. We provide a guarantee on code and timeline.

Typical mistakes in crypto wallet development (and how to avoid them)

  • Using outdated MPC libraries — GG18 without abort protocol. Choose CGGMP21 or tss-lib with up-to-date audit reports.
  • Tight coupling to a single blockchain — not abstracting for L2/sidechains. Use viem/wagmi for cross-chain.
  • Ignoring MEV attacks — when using multisig without timelocks. Add tx simulation (Tenderly) and sandwiching protection.
  • Lack of fallback recovery mechanism — for Account Abstraction, not setting up social recovery. Include from the first release.

We eliminate these pitfalls at the design stage — for each project, we create a threat model and security checklist.

Need a reliable wallet with no compromises? Get a consultation from our architect — we will analyze your task and propose an architecture with a precise estimate. Leave a request — we will respond within a day.